[57] ABSTRACT

A method for sending a secure message in a telecommunications system utilizing public encryption keys. All authentication parameters of each of the users, including each user's decryption key that is known only to the user, are used to verify, by public key methods, the identity of a user sending a communication to another user of the system. During the authentication process, an encryption key for use in communications between the two users may also be generated. The generated encryption key may be a private session key. Once the initial authentication is completed, the private session key can be used to perform encryption that is less computationally demanding than public key methods. In an embodiment of the invention, two communicating users may use the method to authenticate each other and generate an encryption key that is used to encrypt subsequent communications between the users. During the process of this embodiment, two encryption keys are generated. A first encryption key is used only in the authentication process, and a second encryption key is used in both the authentication process and as the key for encrypting subsequent communications. Use of two encryption keys requires that each of the two users apply its decryption key to complete the authentication and encryption key agreement process successfully.

4 Claims, 4 Drawing Sheets

METHOD FOR SECURE COMMUNICATION IN A TELECOMMUNICATIONS SYSTEM

This application is a continuation of U.S. application Ser. No. 08/796,613, filed Feb. 7, 1997, now U.S. Pat. No. 5,915,021.

FIELD OF THE INVENTION 

This invention relates to secure communications in telecommunications systems and, more particularly, to a method for secure communications between users operating in a telecommunications system utilizing public key algorithms.

BACKGROUND OF THE INVENTION 

Advances in telecommunications systems technology have resulted in a variety of telecommunications systems and services being available for use. These systems include cellular telephone networks, personal communications systems, various paging systems, and various wireline and wireless data networks. Cellular telephone networks currently in use in the United States include the AMPS analog system, the digital IS-136 time division multiplexed (TDMA) system, and the digital IS-95 digital code division multiplexed (CDMA) system. In Europe the Global Services for Mobile (GSM) digital system is most widely used. These cellular systems operate in the 800-900 MHz range. Personal communications systems (PCS) are also currently being deployed in the United States. Many PCS systems are being developed for the 1800-900 MHz range, with each based on one of the major cellular standards.

In each of the above-mentioned telecommunications systems, it may often be desirable for the operators of the system to provide secure communications to users of the system. The provision of secure communications may include authentication and encryption key agreements between two mobile stations or between a base station and a mobile station operating in the system, or between any other two units within the network.

In analog systems, such as AMPS, it is very difficult to provide secure communications. The analog nature of the signals carrying the communication between two users does not permit easy or efficient encryption. In fact in standard AMPS, no encryption is used and communications sent between a mobile station and base station may be monitored and intercepted. Anyone having a receiver capable of tuning to the frequencies used for the communication channels may intercept a message at any time, without being detected. The possibility of interception has been one negative factor connected with analog systems such as AMPS. Because of this potential for interception, AMPS-type systems have not been favored for certain business or governmental uses, where sending a secure message is a requirement.

The newer digital systems such as GSM, IS-136, and IS-95 have been developed so as to include encryption services for communications privacy. The digital nature of the speech or data signals carrying the communications between two users in these digital systems allows the signals to be processed through an encryption device to produce a communications signal that appears to be random or pseudorandom in nature, until it is decrypted at an authorized receiver. When it is desired to send a secure message in such a system, the encryption feature of the system can be used to encrypt the message. As an example, the short message service (SMS) feature specified in these standards could be used to send a text message that is encrypted according to the system encryption algorithm. Voice communications could also be encrypted using the system encryption algorithm.




In the GSM, IS-136, and IS-95 systems, the encryption is performed on message transmissions between each user and the system by using a secret key value, "session key," where the key is known only to the system and the user communicating with the system. The system standards under consideration for PCS networks may also include encryption services that are based on the encryption techniques specified in the digital standard from which a particular PCS standard is derived, i.e., GSM, IS-136, or IS-95.

In GSM the system operator controls the security process by issuing a subscriber identity module (SIM) to each system user. The SIM is a plug-in chip or card that must be inserted into a mobile station that a user intends to make or receive calls through. The SIM contains a 128-bit number called the Ki that is unique for each user. The Ki is used for both authentication and deriving an encryption key. In GSM a challenge and response procedure is used to authenticate each user and generate encryption bits from Ki for the user. The challenge and response procedure may be executed at the discretion of the home system.

When a GSM mobile is operating in its home system, and after the user has identified himself by sending in his international mobile system identity/temporary mobile system identities (IMSI/TMSI), a 128-bit random number (RAND) is generated in the system and combined with the mobile user's Ki to generate a 32-bit response (SRES). The system then transmits RAND to the mobile which, in turn, computes its own SRES value from the mobile user's Ki, and transmits this SRES back to the system. If the two SRES values match, the mobile is determined to be authentic. Encryption bits for communications between the mobile and systems are generated in both the mobile and network by algorithms using RAND and Ki to produce an encryption key "Kc." Kc is then used at both ends to encrypt and decrypt communications and provide secure communications. When a GSM mobile is roaming, the RAND, SRES and Kc values are transferred to a visited system upon registration of the user in the visited system, or upon a special request from a visited system. The Ki value is never available other than in the home system and the user's SIM.

The IS-136 and IS-95 authentication and encryption procedures are identical to each other and are similar to the GSM authentication and encryption procedures. In IS-136 and IS-95 systems a challenge response method is also utilized. The IS-136 and IS-95 method utilizes a security key called the "A-key." The 64-bit A-key for each mobile is determined by the system operators. The A-key for each mobile is stored in the home system of the mobile's owner and in the mobile itself. The A-key may be initially communicated to the mobile owner in a secure manner, such as the United States mail. The owner can then enter the A-key into the mobile via the keypad. Alternatively, the A-key may be programmed into the mobile station at the factory or place of service. The A-key is used to generate shared secret data (SSD) in both of the mobile and the home system from a predetermined algorithm. SSD for each mobile may be periodically derived and updated from the A-key of that particular mobile by use of an over-the-air protocol that can only be initiated by the home system operator.

In IS-136 and IS-95 authentication and encryption, a 32-bit global challenge is generated and broadcast at predetermined intervals within systems in the service area of the mobile. When a mobile attempts system registration/call setup access in the home system, the current global challenge response is used to compute, in the mobile, an 18-bit authentication response from the mobile's SSD. An access request message, including the authentication response and a call count value for the mobile, is then sent to the home system from the mobile. Upon receiving the access request the home system will compute its own response value using the global challenge and the mobile's SSD. If the mobile is verified as authentic, by comparison of the authentication responses, the mobile's SSD and other relevant data, including the call count value, the mobile is registered.

When a mobile attempts system registration/call setup access in a visited system, the current global challenge response is used to compute, in the mobile, the 18-bit authentication response from the mobile's SSD. An access request message is then sent to the visited system from the mobile. For initial registration accesses in a visited system, the access request message includes the authentication response computed in the mobile. The authentication response and global challenge are then sent to the home system of the mobile, where the home system will compute its own response value using the global challenge and the mobile's SSD. If the mobile is verified as authentic, by comparing the authentication responses, the mobile's SSD and other relevant data, including the call count value, is then sent to the visited system and the mobile is registered. When a call involving the mobile is set up, a current authentication response value and call count are sent to the system from the mobile along with the call setup information. Upon receiving the call setup information, the visited system retrieves the stored SSD and call count values for the requesting mobile. The visited system then computes an authentication response value to verify that the received SSD value and the current global challenge produce the same response as that produced in the mobile. If the authentication responses and call counts match, the mobile is allowed call access. If communications security is desired, an encryption key is produced in both the mobile and system by using the global challenge and the mobile's SSD as input to generate encryption key bits.

Further background for such techniques as those used in GSM and the IS-136 and IS-95 systems may be found in the article, "Techniques for Privacy and Authentication in Personal Communications Systems," by Dan Brown in IEEE Personal Communications dated August 1995, at pages 6-10.

While the above-described private key procedures used in the GSM and the IS-136 and IS-95 systems provide communications security, none of these procedures is entirely immune to interception and eavesdropping. All of the procedures require that a user's A-key or Ki value be known both in the mobile station and home system. They also require that the user's SSD or Kc value be known at both ends of the communications link, i.e., in the system and in the mobile. Each of these values could potentially be corrupted and become known to a potential interceptor. An individual knowing the Ki or A-key of a user, or an individual who intercepts the Kc or SSD of the user in intersystem communications, could also intercept and eavesdrop on communications that were intended to be secure and private. Additionally, since each user's keys are available at a base station with which they are communicating, encrypted communications involving two mobile stations connected through a base station of a system could be breached at the base station.

Public key encryption methods are methods in which a user is assigned an encryption key that is public, i.e., may be known and revealed publicly, but is also assigned a private decryption key that is known only to the user. Only an intended receiving user's decryption key can decrypt an encrypted message meant for the intended receiving user, i.e., decrypt a message encrypted using the intended receiving user's encryption key. In order to send a secure message to an intended receiver a user would encrypt the message using the intended receiver's encryption key before sending the message. When the intended receiver received the encrypted message, the intended receiver would decrypt the message using the intended receiver's decryption key. In a public key encryption telecommunication system, the user would be allowed to keep the decryption key to himself, away from base stations or the system. Since the key necessary for decrypting a message is known only to the receiving user, public key encryption methods could provide more secure communications than are obtainable with the current encryption techniques being used in, for example, GSM, IS-136 or IS-95.

Public key encryption methods provide the added advantage that a message can be encoded and subsequently decoded by first applying the encryption key of a receiving user to a message to encode before transmission, and then applying the decryption keys of the receiving user after reception to decode, or, by first applying the decryption key of a sending user to a message to encode before transmission, and then applying the encryption key of the sending user in the receiver after reception to decode. A first user can sign a message by applying the first user's decryption key to a message and send both the signed message and a copy of the message. Upon receiving the message, a second user can verify that the message came from the first user by applying the first user's encryption key to the received signed message, and then checking to see if the result is the same as the received copy of the message. Since only the first user knows the first user's decryption key, the copy of the message and the signed message (after application of the encryption key) received by the second user will be identical only if sent by the first user.

Since the decryption key of each user may be kept totally private, secure methods of communication between users in a telecommunications system that require each user to use and apply his/her decryption key, so that his/her identity can be verified to the other user, would provide good security. However, the use of public key encryption may require intensive use of computational resources in a communicating device such as a mobile phone. The use of public key algorithms to encrypt and decrypt every message or voice communication could be very computationally expensive as compared to private key algorithms.

It would, therefore, be advantageous to provide a method for secure communications between users operating in a telecommunications system, in which public key methods were used to verify the identities of communicating parties, and in which less computationally expensive encryption methods were used once identities are verified.

SUMMARY OF THE INVENTION

The present invention provides a method for secure communications between users in a telecommunications system. The method provides a highly secure process by requiring that all authentication parameters of each of the users, including each user's decryption key that is known only to the user, are used to verify the identity of a user sending a communication to another user of the system by public key methods. During the authentication process, an encryption key for use in communications between the two users may also be generated. The generated encryption key may be a private session key. Once the initial authentication is completed, the private session key can be used to perform encryption that is less computationally demanding than public key methods.

In an embodiment of the invention, two communicating users may use the method to authenticate each other and generate an encryption key that is used to encrypt subsequent communications between the users. During the process of this embodiment, two session keys are generated. A first session key is used only in the authentication process, and a second session key is used in both the authentication process and as the key for encrypting subsequent communications. The use of two session keys requires that each of the two users apply its decryption key in order to complete the authentication and encryption key agreement process successfully.

The system is assigned a public key algorithm A0 having a public key E0 and a private key D0. A function f(t,p) is also defined so that it is computationally impossible to find any two different pairs of values for the variables t and p giving the same result for f(t,p), i.e., if different pairs of values for t and p are randomly chosen the chances of f(t,p) generating the same result is near zero. E0, f(t,p) and A0 are known at all mobile stations and base stations in the system that operate according to the invention. Upon initiation of service of a mobile station Mx operating according to the invention, a public key algorithm Amx having keys Emx and Dmx is assigned to mobile station Mx. Mx is also assigned an identity mx. The identity mx is used to compute a certificate Cmx for Mx where Cmx=D0(f(mx,Emx)). Similarly, each base station Bx operating according to the invention is assigned a public key algorithm Abx, having keys Ebx and Dbx, and is also assigned an identity bx used to compute a certificate Cbx for Bx where Cbx=D0(f(bx,Ebx)). The authentication triplet for Mx is (mx,Emx,Cmx) and the authentication triplet for Bx is (bx,Ebx,Cbx). The identities mx and bx may be distinguished as mobile station and base station identities, respectively, to prevent a mobile user's identities being used to impersonate a base station.

At the start of the key agreement and authentication procedure, base station Bx sends the triplet of Bx to mobile station Mx. Mx then uses the bx and Ebx values of the triplet in f(bx,Ebx) to verify the certificate Cbx of Bx. Mx then selects an encryption key k1 and sends Ebx(k1) to Bx. Bx next decrypts Ebx(k1) using Dbx. Mx next sends its triplet that has been encrypted using k1 to Bx. Bx decrypts Mx's triplet using k1 and uses the mx and Emx values of the triplet in f(mx,Emx) to verify the certificate Cmx of Mx. Bx then selects a new encryption key k2 and sends Emx(k2) to Mx. Mx next decrypts Emx(k2) using Dmx. Both Mx and Bx are now authenticated and in subsequent communications may communicate securely using the key k2.

In another embodiment of the invention, the method may be used for electronic cash transfer or the transfer of other confidential data. The process may be used to transfer electronic cash between users of a telecommunications system. In this embodiment, each user that communicates directly with another user authenticates the other user by verifying all authentication parameters of the other user. Each pair of communicating users also agrees on a key for communications between the two users. Also, each time a communication originating at a particular user is passed from one user to another, all authentication parameters of the user originating the communication are verified by the receiving user.

For the transfer of electronic cash, the system is assigned a public key algorithm A0 having a public key E0 and a private key D0. A function f(t,p) is also defined so that it is computationally impossible to find any two different pairs of values for the variables t and p giving the same result for f(t,p), i.e., if different pairs of values for t and p are randomly chosen the chances of f(t,p) generating the same result is near zero. E0, f(t,p) and A0 are known by all users utilizing the method, including mobile stations and banks in the system that operate according to the invention. Upon initiation of service of a mobile station Mx operating according to the invention, a public key algorithm Amx having keys Emx and Dmx is assigned to mobile station Mx. Mx is also assigned an identity mx. The identity mx is used to compute a certificate Cmx for Mx where Cmx=D0(f(mx,Emx)). Similarly, each bank Bax operating according to the invention is assigned a public key algorithm Abax, having keys Ebax and Dbax and is also assigned an identity bax used to compute a certificate Cbax for Bax where Cbax=D0(f(bax,Ebax)). The authentication triplet for Mx is (mx,Emx,Cmx) and the authentication triplet for Bax is (bax,Ebax,Cbax). The identities mx and bax may be distinguished as mobile station and bank identities respectively, to prevent a mobile user's identities being used to impersonate a bank.

Users may deposit or withdraw electronic cash in or from a bank and transfer the cash to other users. The electronic cash includes a statement of the amount and the authentication parameters, including a bank certificate, of the bank in which the electronic cash originated. Each time two users directly communicate, they authenticate each other and generate a session key using the authentication and key agreement method described above for the first embodiment of the invention, with the users as the communicating parties in place of the mobile Mx and base station Bx. Each user may be a mobile station or a bank. When electronic cash is transferred between two users, after authentication and key agreement between the two directly communicating users, all authentication parameters of the bank in which the electronic cash originated are verified by the receiving user.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the method of the present invention may be had by reference to the following detailed description when read in conjunction with the accompanying drawings wherein:

FIG. 1 illustrates a block diagram of a telecommunications system that provides authentication and key agreement according to an embodiment of the invention;

FIG. 2 is a flow diagram showing process steps performed to provide authentication and key agreement between a mobile station and base station operating in the telecommunications system of FIG. 1;

FIG. 3 illustrates a block diagram of a telecommunications system that provides secure electronic cash transfer according to an embodiment of the invention; and

FIGS. 4A and 4B are flow diagrams showing process steps performed to provide secure electronic cash transfer within the telecommunications system of FIG. 3.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 illustrates a block diagram of a telecommunications system 100 constructed according to an embodiment of the invention. System 100 comprises base stations B1 and B2, land line network 142, and mobile stations M1 and M2. Although shown to include two base stations and two mobile stations, system 100 may comprise more or fewer base stations or mobile stations than are shown in FIG. 1. The mobile stations M1 and M2 may be mobile telephones that provide speech communications between a user of M1 or M2 and another mobile telephone, or between the user and a land line telephone connected to landline network 142. Mobile stations M1 and M2 may also be any other type of mobile communications device capable of operating according to the system standard for system 100, such as a personal communications device or a laptop computer operating through a wireless modem. Landline network 142 may be a public switched telephone network (PSTN) or a private landline network for system 100 that includes mobile switching centers for controlling call routing, registration and hand-off of a mobile from one base station to another in system 100. In system 100, mobile stations M1 and M2 may move about the coverage area of system 100 while communicating with the base stations of system 100 through RF links. In FIG. 1, mobile stations M1 and M2 are shown to be communicating with base stations B1 and B2, respectively, over RF links 144 and 146, respectively. System 100 may operate according to any telecommunications system standard that provides a digital interface over the RF links between mobile stations M1 and M2, and base stations B1 and B2. The design and operation of digital telecommunications systems is known and will not be described in detail here. System 100 may be implemented in any number of ways. For example, the digital RF interface in system 100 may operate according to a standard similar to the Telecommunications Industry Association/Electronic Industry Association (TIA/EIA) IS-136, IS-95, and PCS 1900 standards or the European GSM standard.

Mobile station M1 includes a transceiver unit 104 coupled to an antenna 102 for receiving radio signals from and transmitting radio signals to base stations of system 100. Mobile station M1 includes a user interface 108, which could be a computer keyboard or a mobile telephone handset with a keypad, microphone and earpiece. Control unit 106 in mobile station M1 controls RF channel selection and other system functions in the conventional manner, and a logic unit 112 controls the general operation of the mobile station. Logic unit 112 may also be utilized to implement and perform encryption and decryption functions on transmitted and received messages according to the embodiment of the invention. Display 110 provides a general visual interface to the user of mobile station M1 and is under control of logic unit 112. Mobile station M2 includes transceiver unit 116, user interface 120, control unit 118, logic unit 124, and display 122, each having the function as described for the corresponding section of mobile station M1.

Base station B1 includes a transceiver unit 136 coupled to antenna 134 for receiving radio signals from and transmitting radio signals to mobile stations. B1 also includes control unit 138 and processor 140. Control unit 138 controls RF channel selection and assignment by generating the appropriate control messages to mobile stations, and also controls other necessary system functions such as interfacing with landline network 142. Processor 140 may be utilized to implement and perform encryption and decryption functions used for communications security. Base station B2 includes transceiver unit 128, antenna 126, control unit 130 and processor 132, each having the function as described for the corresponding section of base station B1.

Referring now to FIG. 2, therein is illustrated a flow diagram showing process steps performed to provide key agreement and authentication within a telecommunications system operating according to an embodiment of the invention. In this embodiment, the system is assigned a public key algorithm A0 having a public key E0 and a private key D0. A function f(t,p) is also defined so that it is computationally impossible to find any two different pairs of values for the variables t and p giving the same result for f(t,p), i.e., if different pairs of values for t and p are randomly chosen the chances of f(t,p) generating the same result is near zero. For example, the function f(t,p) may be a hashing function H(t,p), commonly used to shorten transmitted messages, where the value H(t,p) is the exclusive-or operation done between t and p. E0, f(t,p) and A0 are known at all mobile stations and base stations in system 100 that operate according to the invention. Upon initiation of service of a mobile station Mx, where x equals an integer, operating according to the invention in system 100, a public key algorithm Amx having keys Emx and Dmx is assigned to mobile station Mx. Mx is also assigned an identity mx. The identity mx is used to compute a certificate Cmx for Mx where Cmx=D0(f(mx,Emx)). Similarly, each base station Bx, where x equals an integer, operating according to the invention is assigned a public key algorithm Abx, having keys Ebx and Dbx, and is also assigned an identity bx used to compute a certificate Cbx for Bx where Cbx=D0(f(bx,Ebx)). The authentication triplet for Mx is (mx,Emx,Cmx) and the authentication triplet for Bx is (bx,Ebx,Cbx). The identities mx and bx may be distinguishable within the system as mobile station and base station identities, respectively, to prevent a mobile user's identities being used to impersonate a base station.

The key functions Emx, Dmx, Ebx and Dbx may be chosen according to the Rabin criteria. In the Rabin algorithm for this example, two prime numbers p and q are chosen using a selected predefined number N, where p×q=N, and p=4k_1+3, and, q=4k_2+3, and where k_1 and k_2 are constants. N may be publicly known, while p and q must be kept private. Emx is defined as Emx(c)=(c)^2 mod Nmx, and Dmx is defined as Dmx(c)=c^(1/2) mod Nmx, where c is the encrypted value. To solve Dmx(c) for c^(1/2), the equations x^2=c mod p, and x^2=c mod q, are solved using the solutions, x_1=±c^((p+1)/4), and x_2=±c^((q+1)/4). If two values a and b are found such that ap+bq=1, then c^(1/2) can be found by the equation c^(1/2)=bq·x_1+ap·x_2 mod Nmx. The process for using Dbx and Ebx, and the process for using E0 and D0 is identical to the process for using Emx and Dmx. The certificate Cmx=D0(f(mx,Emx))=(f(mx,Emx))^(1/2) mod N0 and the certificate Cbx=D0(f(bx,Ebx))=(f(bx,Ebx))^(1/2) mod N0. A general description of the Rabin algorithm is given in the book, "Cryptography, Theory and Practice," by Stinson, published by CRC, 1995, at pages 143-148.

As an alternative, the key functions Emx, Dmx, Ebx and Dbx may be chosen according to the Rivest, Shamir and Adleman (RSA) criteria. In RSA two (large) prime numbers p and q are first selected, where p×q=N. Two other values, a2 and b2, are then chosen, where (a2)(b2)=1 mod (p-1)(q-1). N and a2 may be public, and b2 must be kept private. Em2 and Dm2 are then defined as Em2(c)=(c)^a2 mod N, and Dm2=(c)^b2 mod N. A detailed description of the RSA algorithm is given in the book, "Digital Money," by Lynch et al., published by John Wiley and Sons, 1996, at pages 76-86.

The flow diagram of FIG. 2 illustrates an example in which the key agreement and authentication procedure is used for communications between mobile station M1 and base station B1. In the example shown, the process begins at base station B1, although the process may begin at either M1 or B1. The process starts at step 200 where the key agreement and authentication procedure is initiated in B1. At step 202 B1 sends the triplet (b1,Eb1,Cb) to M1. Next, at step 204, M1 computes f(b1,Eb1) from the received values b1 and Eb1. The process then moves to step 206 where M1 authenticates Cb by making a determination as to whether or not the computed f(b1,Eb1) is equal to E0(Cb), where Cb is the value Cb received from B1 in the triplet (b1,Eb1,Cb). If f(b1,Eb1) does not equal E0(Cb), Cb is not authenticated and the triplet received in step 202 may have been sent by an impersonator of B1. In this case the process moves to step 208 and ends. If, however, f(b1,Eb1) equals E0(Cb), Cb is authenticated, and the process moves to step 210.

At step 210 M1 selects an encryption key (k1). Next, at step 212, M1 applies Eb1 to k1 to generate Eb1(k1) and sends Eb1(k1) to B1. After receiving Eb1(k1) from M1, B1 then, at step 214, applies Db1 to Eb1(k1) to generate Db1(Eb1(k1))=k1. Next, at step 216, M1 encrypts M1's triplet (m1,Em1,Cm1) using k1 and sends the encrypted triplet to B1. After receiving the encrypted triplet, B1 then decrypts the encrypted triplet at step 218 using k1 to regenerate the triplet (m1,Em1,Cm1). Next, at step 220, B1 computes f(m1,Em1) using the values m1 and Em1 received in the triplet from M1. The process then moves to step 222 where B1 authenticates Cm by making a determination as to whether or not the computed f(m1,Em1) is equal to E0(Cm), where Cm is the Cm received from M1 in the triplet. If f(m1,Em1) does not equal E0(Cm), Cm is not authenticated and the triplet may have been sent by an impersonator of M1. In this case, the process moves to step 224 and ends. If, however, f(m1,Em1) equals E0(Cm), Cm is authenticated and the process moves to step 226.

At step 226 B1 selects a new encryption key (k2). B1 will use k2 for subsequent encryption. Next, at step 228, B1 applies Em1 to k2 to generate Em1(k2). Then, at step 230, B1 encrypts Em1(k2) using k1 and sends the encrypted Em1(k2) to M1. After receiving the encrypted Em1(k2) M1 decrypts the encrypted Em1(k2) at step 232, and applies Dm1 to Em1(k2) to generate Dm1(Em1(k2))=k2. Next, at step 234, M1 assigns k2 as its session encryption key. M1 and B1 can now engage in encrypted communications using the session key k2. The key authentication and assignment process then moves to step 236 and ends.

In the process of FIG. 2, steps 200-214 authenticate B1 to M1. In order to impersonate B1, an imposter X has to send the identical triplet (b1,Eb1,Cb1) to M1 because of the property of the function f(b1,Eb1). Even if X succeeds in obtaining the triplet (b1,Eb1,Cb1), step 214 prevents X from getting the key k1 and continuing in the communications. Steps 216-232 authenticate M1 to B1. If an imposter X succeeds in obtaining M1's triplet (m1,Em1,Cm1), step 232 will prevent X from getting the key k2 and continuing in the communications. The encryption using k1 also prevents an imposter from intervening in at step 218 and impersonating the base station.
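The FIG. 2 exchange and the two imposter cases discussed above, as an added example that is not part of the patent text. The toy RSA keys built from Mersenne primes, SHA-256 standing in for f, the XOR keystream standing in for the unspecified session cipher, and the names `fig2`, `triplet` and `cert_ok` are all assumptions.

```python
import hashlib, json, secrets

E = 65537  # public exponent used for every toy key below (assumption)

def keygen(p, q):
    """Toy RSA: return (N, d) with E*d = 1 mod (p-1)(q-1)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def f(identity, n):
    """Stand-in for f(t,p): SHA-256 over the identity and the public key."""
    return int.from_bytes(hashlib.sha256(f"{identity}|{E}|{n}".encode()).digest(), "big")

def sym(key, data):
    """Stand-in session cipher: XOR with a SHA-256 keystream (self-inverse)."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(f"{key}|{i}".encode()).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed parameters: products of Mersenne primes, for illustration only.
N0, D0 = keygen(2**521 - 1, 2**607 - 1)   # system algorithm A0
NB, DB = keygen(2**89 - 1, 2**127 - 1)    # base station B1
NM, DM = keygen(2**61 - 1, 2**107 - 1)    # mobile station M1
NX, DX = keygen(2**19 - 1, 2**31 - 1)     # imposter X

def triplet(identity, n):
    """Authentication triplet (id, E, C) with C = D0(f(id, E))."""
    return [identity, n, pow(f(identity, n), D0, N0)]

def cert_ok(t):
    """Steps 204-206 and 220-222: f(id, E) must equal E0(C)."""
    return f(t[0], t[1]) == pow(t[2], E, N0)

def fig2(b1_triplet, b1_private):
    """Run FIG. 2 between M1 and whoever holds b1_private; return the outcome."""
    if not cert_ok(b1_triplet):                               # step 206
        return "stopped at step 208"
    k1 = secrets.randbits(128)                                # step 210
    msg1 = pow(k1, E, b1_triplet[1])                          # step 212: Eb1(k1)
    k1_peer = pow(msg1, b1_private, b1_triplet[1])            # step 214
    msg2 = sym(k1, json.dumps(triplet("m1", NM)).encode())    # step 216
    try:
        m1_triplet = json.loads(sym(k1_peer, msg2))           # step 218
        certified = cert_ok(m1_triplet)                       # steps 220-222
    except (ValueError, TypeError, IndexError, KeyError):
        return "peer without Db1 cannot read M1's triplet"    # wrong k1 at step 214
    if not certified:
        return "stopped at step 224"
    k2 = secrets.randbits(128)                                # step 226
    em1_k2 = pow(k2, E, m1_triplet[1]).to_bytes(32, "big")    # step 228: Em1(k2)
    msg3 = sym(k1_peer, em1_k2)                               # step 230
    k2_m1 = pow(int.from_bytes(sym(k1, msg3), "big"), DM, NM) # step 232
    return "session key agreed" if k2_m1 == k2 else "key mismatch"

genuine = triplet("b1", NB)
forged = ["b1", NX, genuine[2]]   # X's own key under B1's identity and certificate
```

`fig2(forged, DX)` fails at the certificate check because f binds the identity to the public key, while `fig2(genuine, DX)` models X replaying B1's real triplet without holding Db1.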

In another embodiment of the invention, the method of authentication and key agreement may be utilized to provide the secure flow of electronic cash. Referring now to FIG. 3, therein is illustrated a telecommunications system for the transfer of electronic cash. The system 300 comprises system 100 of FIG. 1, Bank1 and Bank2. Bank1 and Bank2 are connected to the landline network 142 through conventional phone lines 302 and 304, respectively. System 100 is as described for FIG. 1. Bank1 and Bank2 each include telecommunications equipment capable of encrypting and decrypting messages received over phone lines 302 and 304, similarly to control unit 106 and logic unit 112 of mobile station M1. The electronic cash transfer takes place with the mobile stations M1 and M2 and the banks Bank1 and Bank2 as the endpoints of the electronic cash flow. Authentication and key agreement is done between the endpoints of the electronic cash flow. Authentication and key agreement between any of the mobiles, M1 and M2, and the banks Bank1 and Bank2 may be done by the process of FIG. 2 with the two communicating parties in place of M1 and B1 in the process. While the communications between the mobiles, M1 and M2, and base stations, B1 and B2, may be encrypted as described for FIG. 2, this is optional. Any authentication and key agreement between the mobile stations and base stations will be transparent and at a different level than the authentication and key agreement for the electronic cash transfer.

In this embodiment of the invention a user of M1 is able, for example, to transfer cash electronically to a user of M2. As is done for the embodiment of FIG. 1, the system 300 is assigned a public key algorithm A0 having a public key E0 and a private key D0. A function f(t,p) is also defined so that it is computationally impossible to have any two different pairs of the variables t and p giving the same result for f(t,p), i.e., if different pairs of values for t and p are randomly chosen the chances of f(t,p) generating the same result is near zero. E0 and A0 are known at all mobile stations and Banks in system 300 that operate according to the invention. Upon initiation of service of a mobile station Mx operating according to the invention in system 300, a public key algorithm Amx having keys Emx and Dmx is assigned to mobile station Mx. Mx is also assigned an identity mx. The identity mx is used to compute a certificate Cmx for Mx where Cmx=D0(f(mx,Emx)). Similarly, each bank Bankx operating according to the invention is assigned a public key algorithm Abax, having keys Ebax and Dbax, and is also assigned an identity bax used to compute a certificate Cbax for Bankx where Cbax=D0(f(bax,Ebax)). The authentication triplet for Mx is (mx,Emx,Cmx) and the authentication triplet for Bankx is (bax,Ebax,Cbax). The key functions for the embodiment of FIG. 3 may be similar to those described for the embodiment of FIG. 2. For example, the RSA or Rabin algorithms may be used. The identities mx and bax may be distinguished as mobile station and bank identities, respectively, to prevent a mobile user's identities being used to impersonate a bank.

Referring now to FIGS. 4A and 4B, therein are flow diagrams illustrating process steps performed during the transfer of electronic cash according to an embodiment of the invention. FIGS. 4A and 4B illustrate an example in which a user of mobile station M1 wishes to perform an electronic cash transfer to the user of M2. The process starts at step 400 when M1 initiates a call to Bank1. Next, at step 402, M1 and Bank1 authenticate each other and agree on a key k1. The authentication and key agreement of Step 402 may be performed using the process described in FIG. 1, with Bank1 in place of base station B1. Next, at step 404, a random number N is selected at M1, and M1 is also given an amount (AM) that the user of M1 desires to transfer to M2. At step 406 M1 computes f(N,AM), where AM is the amount to be transferred, and applies Dm1 to f(N,AM) to generate the f(N,AM) signed by M1 or Dm1(f(N,AM)). Then, at step 408, M1 encrypts -N, AM and Dm1(f(N,AM)) using k1, and at step 410, an encrypted statement including -N, AM and Dm1(f(N,AM)) is sent by M1 to Bank1. The sign of N may be set negative to indicate that M1 is debiting the account belonging to the user of M1 by the amount AM. The sign is set only to indicate a debit is being made, and in all calculations N is assumed positive. After receiving the encrypted -N, AM and Dm1(f(N,AM)) Bank1 decrypts the statement at step 412 using k1 to generate -N, AM and Dm1(f(N,AM)). Next, at steps 414, 416 and 418, Bank1 checks the integrity of the statement to ensure that it was sent from M1. This check serves as a double check on the security of the process. At step 414, Bank1 applies Em1 to Dm1(f(N,AM)) to generate Em1(Dm1(f(N,AM)))=f(N,AM). At step 416, Bank1 computes f(N,AM) from the decrypted -N,AM. A determination is then made at step 418 as to whether or not the f(N,AM) computed in step 416 is equal to the f(N,AM) received from M1. If the two f(N,AM) values do not match, the integrity of the statement has been compromised, and the process moves to step 420 and ends. If, however, the two f(N,AM) values match, the statement is verified and the process moves to step 422.

At step 422 Bank1 deducts the amount AM from the account of the user of M1. Next, at step 424, Bank1 applies Dba1 to f(N,AM) to generate Dba1(f(N,AM)). At step 426 Bank1 encrypts N,AM and Dba1(f(N,AM)) using k1. Bank1 then, at step 427, sends the encrypted statement including N,AM and Dba1(f(N,AM)) to M1. The sign of N in the statement may be set positive to indicate that Bank1 is sending a crediting statement, i.e., a statement that will credit the receiving party. At step 428 M1 then decrypts the encrypted N,AM and Dba1(f(N,AM)) received from Bank1. Next, at steps 430, 432 and 434, M1 checks the integrity of the statement to ensure that it was sent from Bank1. At step 430 M1 applies Eb1 to Dba1(f(N,AM)) to generate f(N,AM). At step 432 M1 computes f(N,AM) from the decrypted N,AM. A determination is then made at step 434 as to whether or not the f(N,AM) computed in step 432 is equal to the f(N,AM) received from Bank1. If the two f(N,AM) values do not match, the integrity of the statement has been compromised and the process moves to step 436 and ends. If, however, the two f(N,AM) values match, the statement is verified and the process moves to step 438.

At step 438 M1 initiates a call to M2. Next, at step 440, M1 and M2 authenticate and agree on a session key k2. The authentication and key agreement of step 440 may be performed using the process described in FIG. 2, with M1 in place of base station B1. Next, at step 442, M1 encrypts +N, AM, Dba1(f(N,AM)) and the triplet (ba1,Eba1,Cba1) using k2, and then sends the encrypted statement +N, AM, and Dba1(f(N,AM)) and the triplet (ba1,Eba1,Cba1) to M2 at step 444. The value N is assigned a positive sign here to indicate that M1 is sending electronic cash that is credited to another's account. At step 446 M2 decrypts the message received from M1 using k2. A determination is then made at step 448 as to whether or not the certificate Cba1 received from M1 is authentic. At step 448, M2 computes f(ba1,Eba1) from the ba1 and Eba1 received from M1 and compares the computed f(ba1,Eba1) with E0(Cba1)=E0(Dba1(f(ba1,Eba1))). If the two f(ba1,Eba1) values do not match, the certificate Cba1 is not valid and the process moves to step 450 and ends. If, however, the two f(ba1,Eba1) values match, the certificate Cba1 is verified and the process moves to step 452.

Next M2 checks the integrity of the statement to ensure that it was originally sent from Bank1. At step 452 M2 applies Eba1 to Dba1(f(N,AM)) to generate f(N,AM). At step 454 M2 computes f(N,AM) from the decrypted N,AM. A determination is then made at step 456 as to whether or not the f(N,AM) computed in step 452 is equal to the f(N,AM) received from M1. If the two f(N,AM) values do not match, the integrity of the statement has been compromised and the process moves to step 458 and ends. If, however, the two f(N,AM) values are equal, this verifies that the statement was originally signed by Bank1, and the process moves to step 460.

At step 460 M2 initiates a call to Bank2. Next, at step 462, M2 and Bank2 authenticate and agree on a session key k3. The authentication and key agreement of step 440 may be performed using the process described in FIG. 2, with, for example, M2 in place of M1 and Bank2 in place of base station B1. Next, at step 464, M2 encrypts +N,AM, Dba1(f(N,AM)) and the triplet (ba1,Eba1,Cba1) using k3. At step 466 M2 sends the encrypted +N,AM, Dba1(f(N,AM)) and the triplet (ba1,Eba1,Cba1) to Bank2. After receiving the message from M2 Bank2 then decrypts the encrypted +N,AM, Dba1(f(N,AM)) and the triplet (ba1,Eba1,Cba1) at step 468. A determination is then made at step 470 as to whether or not the certificate Cba1 received from M2 is authentic. At step 470, Bank2 computes f(ba1,Eba1) from the ba1 and Eba1 received from M2 and compares the computed f(ba1,Eba1) with E0(Cba1)=E0(Dba1(f(ba1,Eba1))). If the two f(ba1,Eba1) values do not match, the certificate Cba1 is not valid and the process moves to step 472 and ends. If, however, the two f(ba1,Eba1) values match, the certificate Cba1 is verified and the process moves to step 474.

Next Bank2 checks the integrity of the statement to ensure that it was originally sent from Bank1. At step 474 Bank2 applies Eba1 to Dba1(f(N,AM)) to generate f(N,AM). At step 476 Bank2 computes f(N,AM) from the decrypted N,AM. A determination is then made at step 478 as to whether or not the f(N,AM) computed in step 476 is equal to the f(N,AM) received from M2. If the two f(N,AM) values do not match, the integrity of the statement has been compromised and the process moves to step 480 and ends. If, however, the two f(N,AM) values are equal, this verifies that the statement was originally signed by Bank1, and the process moves to step 482. At step 482 Bank2 credits the account of the user of M2 with the amount AM.

The teachings of this invention should not be construed to be limited for use only with the telecommunications standards described and should be construed to include any similar systems. Furthermore other encryption algorithms than those expressly disclosed above may be employed to practice this invention.

While the invention has been particularly shown and described with respect to preferred embodiments thereof, it will be understood by those skilled in the art that changes in form and details may be made therein without departing from the scope and spirit of the invention.

What is claimed is:

1. In a telecommunications system having a first and second transceiving device, wherein each of the first and second transceiving devices is assigned a decryption key and a public encryption key, and the second transceiving device is assigned identifying information, a method for providing secure communications, said method comprising the steps of:

selecting a first session key at the second transceiving device;

encrypting the first session key using the public encryption key of said first transceiving device to generate a first message in the second transceiving device;

transmitting the first message to the first transceiving device;

decrypting the first message, at the first transceiving device using the decryption key of the first transceiving device to generate said first session key;

encrypting the identifying information in said second transceiving device using said first session key to generate a second message;

transmitting said second message from the second transceiving device to the first transceiving device;

decrypting the second message at the first transceiving device using said first session key to generate the identifying information;
verifying the identity of the second transceiving device using the identifying information; and

in response to a positive verification in said step of verifying the identity of the second transceiving device:

selecting a second session key at said first transceiving device;

encrypting said second session key using the public encryption key of the second transceiving device to generate a third message in the first transceiving device;

transmitting said third message to the second transceiving device;

decrypting said third message, at the second transceiving device using the decryption key of the second transceiving device to generate said second session key; and

using said second session key to encrypt subsequent communications between the first and second transceiving devices.

2. The method of claim 1, wherein said system is assigned a decryption key and a public encryption key, and wherein said method further comprises the steps of:

calculating and assigning a certificate for the second transceiving device by applying the decryption key of the system to a resultant value of a selected function, wherein the selected function has as inputs the public encryption key of the second transceiving device and the identifying information.

3. The method of claim 2, wherein the identifying information comprises an identity field and said step of encrypting the identifying information comprises encrypting said identity field, the public encryption key of the second transceiving device, and said certificate assigned to the second transceiving device using said first session key to generate a second message.

4. The method of claim 3, wherein said step of verifying 
comprises: 

using said identity field and said public encryption key of 
the second transceiving device received in the second 
message as inputs to said selected function to generate 
a first result; 

applying the public encryption key assigned to the system 
to said certificate assigned to the second transceiving 
device to generate a second result; and 

determining whether said first and second results are 
equal. 

***** 